Let's say I have these kind of requirements:
User A in Role AA needs to be able to update all entities of type A1.
User B in Role BB needs to be able to update only the entities of type A1 with the primary identifier of "2", which I'll call A1("2"), and can not update any other entities of type A1, but can add or delete any number of child entities of type B2 to entity A1("2").
User C in Role CC needs to be able to edit most but not all of the properties of these children B2 entities belonging to entity A1("2"), nor can members of Role CC add or remove B2 entities from A1("2").
User D is in Role BB and Role CC, and as a result of the combined memberships, has the permissions derived from a union of the two sets of permissions (in this case, because Role CC permissions are a proper subset of Role BB, this means User D can do everything allowed for Role BB).
And so on. These policies may be changed after deployment, and so should not require major re-development work to implement the changes (like what might be required for a declarative approach to solving this problem).
I'd assume that access-control lists (ACLs) would be stored alongside or inside the objects being protected.
I presume that the developer writing the code needs to be able to imperatively (not declaratively) query a single method/function/operation/procedure, with arguments identifying the current principal, the object under consideration, the operation being considered (maybe we call this the privilege), and then retrieve a single boolean value indicating whether the operation should be allowed or denied.
Feel free to challenge my assumptions.
Now, I already have a simple yet effective proprietary general solution in mind (based on work I've already committed to production and is working quite well). I am considering publishing this as an open-source project.
But before I take it to the next level and build this beastie, I wondered if anyone knew of a widely-accepted system, module, or library (doesn't necessarily have to be .NET) which already assists developers with implementing this kind of fine-grained control over entities (whether that means database records or objects in an ORM or whatever).
P.W. In reviewing answers before posting this to SO, I found an answer elsewhere (SO LINK) that suggested Zend_Acl might have this kind of capability for LAMP project, but I would prefer a .NET/Windows solution instead.